Switching identity using kinit/kdestroy for NFSv4 mounts doesn't work

Benjamin Kaduk kaduk at MIT.EDU
Fri Mar 13 11:53:44 EDT 2015


On Fri, 13 Mar 2015, Robert Wehn wrote:

> - klist
>   -> TGT for jane@REALM
> BUT!
>   -> localuser can still access alice's files
>   -> localuser can never access jane's files
>   -> no new NFS service ticket fetched or needed till the end
>      of the ticket lifetime
>
> What doesn't help:
> - logout and login as localuser
> - restart gssd
>
> What helps:
> - Unmount NFS, remount.
>
> The NFS client part of the linux-kernel seems to cache the NFS service
> tickets used for every combination of local UID and mounted filesystem.

I don't actually run any NFSv4 myself, but my understanding from
IRC/mailing lists is that the caching has a TTL of roughly a couple hours.

See Brandon's response as well, but from a security perspective, the
kernel NFS implementation is wrong to cache things for so long, especially
without providing a way to invalidate a cached entry.

-Ben Kaduk
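A model of the behaviour discussed in this thread, added here as an illustration and not code from the kernel or from either poster: a context cache keyed by (local UID, mount point) rather than by the principal in the credential cache, which is why kdestroy/kinit as the same UID does not change who the client authenticates as until the entry expires or the filesystem is unmounted. The `invalidate` method is the hypothetical knob Ben says the kernel lacks; UIDs, principals and the two-hour TTL are constructed sample values.

```python
import time

CACHE_TTL = 2 * 3600  # roughly "a couple hours", per the thread (assumed value)


class GssContextCache:
    """Caches the negotiated principal per (local UID, mount point)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}  # (uid, mount) -> (principal, expires_at)

    def principal_for(self, uid, mount, ccache):
        """Principal used for RPCs; ccache is consulted only on a cache miss."""
        key = (uid, mount)
        now = self._clock()
        entry = self._entries.get(key)
        if entry and entry[1] > now:
            return entry[0]          # cached context wins, whatever ccache holds now
        principal = ccache.get(uid)  # what gssd would find after a fresh kinit
        if principal is None:
            raise PermissionError("no Kerberos credentials for uid %d" % uid)
        self._entries[key] = (principal, now + CACHE_TTL)
        return principal

    def unmount(self, mount):
        """Unmounting drops every context for that mount (the thread's workaround)."""
        for key in [k for k in self._entries if k[1] == mount]:
            del self._entries[key]

    def invalidate(self, uid, mount):
        """Hypothetical missing knob: drop one entry so the next RPC renegotiates."""
        self._entries.pop((uid, mount), None)


def switch_identity_scenario(clock=time.time):
    """Replays the thread's sequence: kinit alice, use mount, kinit jane, remount."""
    uid, mnt = 1000, "/mnt/nfs"          # constructed sample values
    ccache = {uid: "alice@REALM"}
    cache = GssContextCache(clock)
    first = cache.principal_for(uid, mnt, ccache)
    ccache[uid] = "jane@REALM"           # kdestroy; kinit jane (same local UID)
    still_cached = cache.principal_for(uid, mnt, ccache)
    cache.unmount(mnt)                   # the only thing that helped
    after_remount = cache.principal_for(uid, mnt, ccache)
    return first, still_cached, after_remount
```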


More information about the Kerberos mailing list